(Manually renewed) certificate is valid for another 89 days but browsers don't want to hear it


Hi there!

My YunoHost server

Hardware: Raspberry Pi 3 at home
YunoHost version: 4.4.2.14
I have access to my server: through the webadmin
Are you in a special context or did you perform some particular tweaking on your YunoHost instance?: yes
If yes, please explain:
I started using Gandi’s API key to make sure my DNS settings were correctly entered. As far as I can tell, the settings are the same as they were when I used to type them up.

Description of my issue

A few days ago, nextcloud, firefox and other services started telling me that the certificate wasn’t valid anymore. Sure enough, when I checked I saw that it had expired a few days prior. I don’t know why it hadn’t renewed automatically this time around but I renewed it manually and the admin interface tells me that all is good:

Great! You’re using a valid Let’s Encrypt certificate!
Certification authority Let’s Encrypt (mydomain.tld)
Validity 85 days

but going to the site from Firefox, even after a few days and/or behind a VPN, I get:

Websites prove their identity via certificates, which are valid for a set time period. The certificate for mydomain.tld expired on 15/12/2022.

Error code: SEC_ERROR_EXPIRED_CERTIFICATE

One last thing: the timing of the certificate renewal may have coincided with that of my home IP changing.

Any idea how I can tell the world that my domain has a valid certificate?
Thank you in advance!

Hello and happy new year!

I still have this certificate problem, and I don't see how to get rid of it.
In French this time!

My YunoHost server

Hardware: Raspberry Pi 3 at home
YunoHost version: 4.4.2.14
I have access to my server: through the webadmin
Are you in a special context or did you perform some particular tweaking on your YunoHost instance?: yes
If yes, please explain:
I now use Gandi's API to make sure the DNS settings are correct. As far as I know, the settings haven't changed. (The problem described below was already present.)

Description of my issue

In mid-December, Nextcloud, Firefox and other services told me that my certificate was no longer valid. That was correct: when I checked, the certificate's expiry date was 15 December 2022. I don't know why it didn't renew automatically 15 days earlier; perhaps because my DNS settings were no longer up to date (I had changed IP) around that time.
I updated the DNS settings, first manually as usual, then with Gandi's API. I then renewed the certificate manually.

At first sight, everything is fine:

Great! You’re using a valid Let’s Encrypt certificate!
Certification authority Let’s Encrypt (mydomain.tld)
Validity 70 days

But Firefox still thinks the certificate has expired:

Websites prove their identity via certificates, which are valid for a set time period. The certificate for mydomain.tld expired on 15/12/2022.

Error code: SEC_ERROR_EXPIRED_CERTIFICATE

How can I convince Firefox and the other services that my domain has a new certificate?

Thanks in advance!

Hello,

After installing a new certificate, it's important to clear the cache and open a new tab.
Sometimes after we've installed a certificate the same tab is still open, which prevents the browser from knowing there is a new certificate.

In Chrome, clearing the cache can be done with CTRL + SHIFT + DEL;
in Firefox, Settings → Security & Privacy.

I have sometimes had a ‘stuck’ certificate.

What I did to resolve it, was first revert to a self-signed certificate, and then switch back to LetsEncrypt!

I'm not quite sure what caused the hiccup at those times.


I had the same issue some time ago and solved it like this: revert back to a self-signed certificate, then install a new one from Let's Encrypt.

Thank you all. This is interesting: I attempted to use a self-signed certificate and then one from Let's Encrypt. It turns out that in both cases I get an error message:

args:
  names:
  - nginx
ended_at: 2023-01-06 08:54:25.092996
error: 'Could not regenerate the configuration for category(s): nginx'
interface: api
operation: regen_conf
parent: 20230106-085351-letsencrypt_cert_install-maindomain.tld
related_to:
- - configuration
  - nginx
started_at: 2023-01-06 08:54:22.563313
success: false
yunohost_version: 4.4.2.14

============

2023-01-06 08:54:22,604: DEBUG - Executing command '['sh', '-c', '/bin/bash -x "./15-nginx" pre \'\' \'\' /home/yunohost.conf/pending/nginx 7>&1']'
2023-01-06 08:54:22,634: DEBUG - + set -e
2023-01-06 08:54:22,636: DEBUG - + . /usr/share/yunohost/helpers
2023-01-06 08:54:22,640: DEBUG - +++ set +o
2023-01-06 08:54:22,643: DEBUG - +++ grep xtrace
2023-01-06 08:54:22,649: DEBUG - ++ readonly 'XTRACE_ENABLE=set -o xtrace'
2023-01-06 08:54:22,651: DEBUG - ++ XTRACE_ENABLE='set -o xtrace'
2023-01-06 08:54:22,848: DEBUG - + do_pre_regen /home/yunohost.conf/pending/nginx
2023-01-06 08:54:22,851: DEBUG - + pending_dir=/home/yunohost.conf/pending/nginx
2023-01-06 08:54:22,853: DEBUG - + cd /usr/share/yunohost/templates/nginx
2023-01-06 08:54:22,855: DEBUG - + nginx_dir=/home/yunohost.conf/pending/nginx/etc/nginx
2023-01-06 08:54:22,857: DEBUG - + nginx_conf_dir=/home/yunohost.conf/pending/nginx/etc/nginx/conf.d
2023-01-06 08:54:22,859: DEBUG - + mkdir -p /home/yunohost.conf/pending/nginx/etc/nginx/conf.d
2023-01-06 08:54:22,868: DEBUG - + cp plain/acme-challenge.conf.inc plain/global.conf plain/ssowat.conf plain/yunohost_panel.conf.inc plain/yunohost_sso.conf.inc /home/yunohost.conf/pending/nginx/etc/nginx/conf.d
2023-01-06 08:54:22,881: DEBUG - ++ yunohost settings get ssowat.panel_overlay.enabled
2023-01-06 08:54:23,930: WARNING - Error while loading unknown settings Expecting value: line 1 column 1 (char 0)
2023-01-06 08:54:23,936: WARNING - Could not open settings file, reason: Expecting value: line 1 column 1 (char 0)
2023-01-06 08:54:24,083: DEBUG - + panel_overlay=
2023-01-06 08:54:25,087: ERROR - Could not run script: /usr/share/yunohost/hooks/conf_regen/15-nginx
Traceback (most recent call last):
  File "/usr/lib/moulinette/yunohost/hook.py", line 306, in hook_callback
    path, args=hook_args, chdir=chdir, env=env, raise_on_error=True
  File "/usr/lib/moulinette/yunohost/hook.py", line 393, in hook_exec
    raise YunohostError("hook_exec_failed", path=path)
yunohost.utils.error.YunohostError: Could not run script: /usr/share/yunohost/hooks/conf_regen/15-nginx

(https://paste.yunohost.org/raw/otuceciren)
So it looks like there is a problem when updating the nginx configuration.

Is this problem only occurring on your main domain, or also on others? Did the main domain change lately? Are there any ‘special’ characters in your domain name?

It’s happening for another domain as well: the certificate gets signed but it’s the nginx configuration that fails.

args:
  names:
  - nginx
ended_at: 2023-01-07 12:16:24.393724
error: 'Could not regenerate the configuration for category(s): nginx'
interface: api
operation: regen_conf
parent: 20230107-121541-letsencrypt_cert_install-domain2.tld
related_to:
- - configuration
  - nginx
started_at: 2023-01-07 12:16:21.863601
success: false
yunohost_version: 4.4.2.14

============

2023-01-07 12:16:21,909: DEBUG - Executing command '['sh', '-c', '/bin/bash -x "./15-nginx" pre \'\' \'\' /home/yunohost.conf/pending/nginx 7>&1']'
2023-01-07 12:16:21,939: DEBUG - + set -e
2023-01-07 12:16:21,940: DEBUG - + . /usr/share/yunohost/helpers
2023-01-07 12:16:21,945: DEBUG - +++ set +o
2023-01-07 12:16:21,947: DEBUG - +++ grep xtrace
2023-01-07 12:16:21,954: DEBUG - ++ readonly 'XTRACE_ENABLE=set -o xtrace'
2023-01-07 12:16:21,956: DEBUG - ++ XTRACE_ENABLE='set -o xtrace'
2023-01-07 12:16:22,163: DEBUG - + do_pre_regen /home/yunohost.conf/pending/nginx
2023-01-07 12:16:22,165: DEBUG - + pending_dir=/home/yunohost.conf/pending/nginx
2023-01-07 12:16:22,166: DEBUG - + cd /usr/share/yunohost/templates/nginx
2023-01-07 12:16:22,167: DEBUG - + nginx_dir=/home/yunohost.conf/pending/nginx/etc/nginx
2023-01-07 12:16:22,169: DEBUG - + nginx_conf_dir=/home/yunohost.conf/pending/nginx/etc/nginx/conf.d
2023-01-07 12:16:22,170: DEBUG - + mkdir -p /home/yunohost.conf/pending/nginx/etc/nginx/conf.d
2023-01-07 12:16:22,178: DEBUG - + cp plain/acme-challenge.conf.inc plain/global.conf plain/ssowat.conf plain/yunohost_panel.conf.inc plain/yunohost_sso.conf.inc /home/yunohost.conf/pending/nginx/etc/nginx/conf.d
2023-01-07 12:16:22,187: DEBUG - ++ yunohost settings get ssowat.panel_overlay.enabled
2023-01-07 12:16:23,219: WARNING - Error while loading unknown settings Expecting value: line 1 column 1 (char 0)
2023-01-07 12:16:23,231: WARNING - Could not open settings file, reason: Expecting value: line 1 column 1 (char 0)
2023-01-07 12:16:23,383: DEBUG - + panel_overlay=
2023-01-07 12:16:24,388: ERROR - Could not run script: /usr/share/yunohost/hooks/conf_regen/15-nginx
Traceback (most recent call last):
  File "/usr/lib/moulinette/yunohost/hook.py", line 306, in hook_callback
    path, args=hook_args, chdir=chdir, env=env, raise_on_error=True
  File "/usr/lib/moulinette/yunohost/hook.py", line 393, in hook_exec
    raise YunohostError("hook_exec_failed", path=path)
yunohost.utils.error.YunohostError: Could not run script: /usr/share/yunohost/hooks/conf_regen/15-nginx

(https://paste.yunohost.org/raw/uwokohihip)

But before the certificate gets regenerated, I see these 2 warnings:

The configuration file '/etc/dnsmasq.d/MYDOMAIN.COM' has been manually modified and will not be updated

grep: /run/resolvconf/resolv.conf: No such file or directory

(MYDOMAIN.COM is not where yunohost is installed, rather yunohost is at ynh.MYDOMAIN.COM)

Now, the fact that /run/resolvconf/resolv.conf doesn’t exist might explain the error later in the process: it looks like the script is trying to parse an empty file (I could be wrong).

There are no special characters in the domain or sub-domain names. They haven't changed for years.

I’ve updated to 4.4.2.14 recently, maybe things are done differently now?
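A note on the two WARNING lines in the regen_conf log above ("Error while loading unknown settings" / "Could not open settings file, reason: Expecting value: line 1 column 1 (char 0)"): that exact string is what Python's json module raises when it is asked to parse an empty input, so a zero-byte or otherwise unparsable settings file is the first thing worth checking before chasing the resolv.conf warning. The script below is an added example and not part of this thread or of YunoHost itself; it classifies a JSON settings file as missing, empty, invalid or ok, and reproduces the log message from an empty string. The path /etc/yunohost/settings.json is an assumed location used only as a placeholder, and the sample file contents are constructed.

```python
import json
import tempfile
from pathlib import Path

# Assumed location of the settings file on a YunoHost 4.x host; treat it
# as a placeholder and adjust to what your install actually uses.
SETTINGS_PATH = Path("/etc/yunohost/settings.json")


def json_error_message(text):
    """Return the message json.loads raises for `text`, or None if it parses."""
    try:
        json.loads(text)
    except json.JSONDecodeError as exc:
        return str(exc)
    return None


def diagnose_settings_text(text):
    """Classify raw settings-file contents.

    Returns (status, detail) with status one of
    "empty", "invalid_json", "not_an_object", "ok".
    """
    if text.strip() == "":
        # An empty file is what produces 'Expecting value: line 1 column 1 (char 0)'.
        return ("empty", json_error_message(text))
    try:
        data = json.loads(text)
    except json.JSONDecodeError as exc:
        return ("invalid_json", str(exc))
    if not isinstance(data, dict):
        return ("not_an_object", "top-level JSON value is %s" % type(data).__name__)
    return ("ok", "%d setting(s) present" % len(data))


def diagnose_settings_file(path):
    """Read the file at `path` and classify it; "missing" if it does not exist."""
    p = Path(path)
    if not p.exists():
        return ("missing", str(p))
    return diagnose_settings_text(p.read_text(encoding="utf-8"))


def lookup_setting(text, key):
    """Return the value of `key` from settings text, or None when the file
    cannot be parsed (mirrors a shell script ending up with an empty variable)."""
    status, _ = diagnose_settings_text(text)
    if status != "ok":
        return None
    return json.loads(text).get(key)


if __name__ == "__main__":
    # Constructed samples: an empty file, a truncated file, and a healthy one.
    samples = {
        "empty": "",
        "truncated": '{"ssowat.panel_overlay.enabled": tr',
        "healthy": '{"ssowat.panel_overlay.enabled": true}',
    }
    with tempfile.TemporaryDirectory() as tmp:
        for name, content in samples.items():
            path = Path(tmp) / (name + ".json")
            path.write_text(content, encoding="utf-8")
            print(name, diagnose_settings_file(path))
    print("missing", diagnose_settings_file(Path(tmp) / "gone.json"))
```

Running it prints one classification per constructed sample; on a real host, point diagnose_settings_file at the settings file the regen hook reads and compare the detail string with the WARNING line in the log.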
